NordVPN Says Server Compromised Due to Misconfiguration

Virtual private network provider NordVPN says an error by a data center provider in Finland allowed an attacker to gain control of a server, but it says its broader service was not hacked. One security expert, however, says the attacker would have had "God mode" on one VPN node.

NordVPN says it "learned about the vulnerability the data center had [a] few months back." It says it initially chose not to publicly disclose the exploit "because we had to make sure that none of our infrastructure would be prone to similar issues." It didn't disclose the data center at issue.

"The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," the company says. "We failed by contracting [an] unreliable service provider and must have done better to ensure the security of our customers."

Expert: Hack is More Serious

Security issues involving VPNs tend to strike a nerve because a compromise could potentially reveal someone's internet activity. There's also a dose of irony in that VPN services often tout their security advantages in marketing materials, and VPN providers aggressively compete for business.

1/3 In response to the TechCrunch article: a server was hacked, the service was not. None of the information available on one server can be used to decrypt the traffic of any other.

But the company's explanation fell flat for some, who warned that the material posted on Twitter points to a far more dire situation - a compromised VPN node with full access by the attacker, writes Kenn White, a security expert and co-director of the Open Crypto Audit Project.

Missed detail in some of the online debate: based on the dumped pastebins, the Nord VPN not-a-hacker had full remote admin on their Finland node LXC containers. That's God Mode folks. And they didn't log and didn't detect it. I'd treat their all claims with great skepticism.

VPNs tunnel internet traffic between a user and a data center before it is routed to a destination. A user's ISP only sees encrypted web traffic, which offers greater privacy. Also, VPNs usually resolve DNS queries, again shielding those from the local ISP, which may offer a privacy advantage. But the privacy advantages hinge on the security of the VPN provider.

VPNs also mask a device's real IP address, instead displaying to a service the IP address of the VPN service. Most VPN providers offer a menu of data centers around the world to connect with, which allows people to access geo-blocked content or restricted services. VPNs are also popular in places where governments may censor content or monitor internet browsing, but they're not foolproof either, because they can be blocked.

Audits Underway

NordVPN says it has terminated its contract with the data center provider and "shredded all servers we had been renting from them."

The server in question was illegally accessed in March 2018. The server had been allocated to NordVPN in January 2018. The data center provider noticed it had left an insecure remote management system on the server and deleted it on March 20, 2018, but did not tell NordVPN, the company says.

A few months ago, NordVPN says, its technical team discovered the undisclosed account. It says it held off notifying users while it audited its entire network. The server did not store user activity logs or authentication credentials, it says.

"Once we found out about the incident, we immediately launched a thorough audit to check out the entire infrastructure," it says. "We double-checked that no other server could possibly be exploited this way and started creating a process of moving all of our servers to RAM, which is to be completed next year."

Also, a private TLS key for NordVPN's website was leaked. The key was taken at the same time as the server was exploited. That would have allowed an attacker to set up a spoofed website that appeared to be nordvpn.com or conduct man-in-the-middle attacks.

"However, the key couldn't possibly have been used to decrypt the VPN traffic of any other server," NordVPN says. "On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com."

As for remediation, the company says it has undergone an application security audit, is working on a second no-logs audit and plans an external audit of its infrastructure next year. It also plans to start a bug bounty program.

Other VPN Hacks?

As NordVPN's problems became public, it appeared other VPN providers may have experienced trouble as well. A Twitter user going by the nickname cryptostorm tweeted an archived link to the notorious message board 8chan that had similar sensitive data for TorGuard and VikingVPN.

I've also confirmed that TorGuard was compromised, this TLS certificate for *.torguardvpnaccess.com was leaked: https://t.co/k4RRFatVoF (expired Oct 2018). There's also an OpenVPN server key. (Again, someone gained root access on the server)

On Monday, TorGuard, which is based in Orlando, Fla., says that a single server "that was compromised was removed from our network in early 2018, and we have since terminated all business with the related hosting reseller because of repeated suspicious activity."

The reseller was Collective 7, a hosting company based in Canada. That hosting company's name is revealed in a federal lawsuit TorGuard filed in Florida in June against NordVPN over alleged blackmail claims.

TorGuard alleges that in cooperation with Collective 7, NordVPN threatened to release "confidential and trade secret information," the lawsuit says. TorGuard alleges that NordVPN wanted it to push one of its VPN affiliates, Tom Spark Reviews, "to remove negative content from YouTube regarding their own VPN brand," according to a blog post. TorGuard also alleges that NordVPN orchestrated a distributed denial-of-service attack against it intended to disrupt sales.

TorGuard maintains that, despite the hacked server, "TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident," according to its Monday blog post.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
